*pdst = dst;
return srclen;
}
Basically, it wasn't smart enough to realize that dst would
always be non-NULL when the memcpy occurred, let alone that it
would also always be large enough. For such false positives,
it's generally necessary to insert pointless code simply to
silence the error, thus complicating the function and
increasing the cost of maintenance. I still believe that the
benefits of static analysis vastly outweigh the cost, but I'd
love to see more intelligence in branch analysis if nothing
else.

realloc may return NULL. Perhaps they are catching that condition?
Ali

I suppose so. Maybe I should change the if statement to a loop and see
what happens.

What about if srclen is 0? Won't memcpy then be passed a null pointer
via dst? Does the static analyzer look inside memcpy to see if it uses
the pointer when the size is 0?
-Steve

memcpy may get passed a null, but it's never uninitialized.
The analysis is wrong and so is the code. doh!
--
My enormous talent is exceeded only by my outrageous laziness.
http://www.ssTk.co.uk
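The copy pattern the thread is discussing, as an added example that is not the code from the original messages: a constructed unchecked form beside a hardened one that checks the realloc() result and never hands memcpy() a NULL destination when srclen is 0 (function names and the (size_t)-1 failure convention are assumptions).

```c
#include <stdlib.h>
#include <string.h>

/* Constructed from the quoted fragment, not the original function: grow
 * *pdst to srclen bytes and copy src in. realloc() may return NULL, on
 * failure or for srclen == 0, and memcpy() then gets a NULL destination. */
size_t copy_unchecked(char **pdst, const char *src, size_t srclen)
{
    char *dst = realloc(*pdst, srclen);
    memcpy(dst, src, srclen);
    *pdst = dst;
    return srclen;
}

/* Hardened form: the empty case never reaches realloc() or memcpy(), and an
 * allocation failure leaves *pdst untouched and is reported as (size_t)-1,
 * distinct from a successful zero-byte copy. */
size_t copy_checked(char **pdst, const char *src, size_t srclen)
{
    char *dst;

    if (srclen == 0)
        return 0;           /* nothing to copy; *pdst is kept as it was */

    dst = realloc(*pdst, srclen);
    if (dst == NULL)
        return (size_t)-1;  /* *pdst is still valid and still the caller's */

    memcpy(dst, src, srclen);
    *pdst = dst;
    return srclen;
}

/* Exercises copy_checked on constructed input; returns 1 on success. */
int copy_checked_self_test(void)
{
    char *buf = NULL;
    const char sample[] = "hello";
    size_t n = sizeof sample;

    if (copy_checked(&buf, sample, 0) != 0 || buf != NULL)
        return 0;                        /* empty copy into an empty buffer */
    if (copy_checked(&buf, sample, n) != n || memcmp(buf, sample, n) != 0)
        return 0;                        /* normal copy */
    if (copy_checked(&buf, sample, 0) != 0 || buf == NULL)
        return 0;                        /* empty copy keeps the old buffer */
    free(buf);
    return 1;
}
```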